1*6236dae4SAndroid Build Coastguard Worker /***************************************************************************
2*6236dae4SAndroid Build Coastguard Worker * _ _ ____ _
3*6236dae4SAndroid Build Coastguard Worker * Project ___| | | | _ \| |
4*6236dae4SAndroid Build Coastguard Worker * / __| | | | |_) | |
5*6236dae4SAndroid Build Coastguard Worker * | (__| |_| | _ <| |___
6*6236dae4SAndroid Build Coastguard Worker * \___|\___/|_| \_\_____|
7*6236dae4SAndroid Build Coastguard Worker *
8*6236dae4SAndroid Build Coastguard Worker * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
9*6236dae4SAndroid Build Coastguard Worker *
10*6236dae4SAndroid Build Coastguard Worker * This software is licensed as described in the file COPYING, which
11*6236dae4SAndroid Build Coastguard Worker * you should have received as part of this distribution. The terms
12*6236dae4SAndroid Build Coastguard Worker * are also available at https://curl.se/docs/copyright.html.
13*6236dae4SAndroid Build Coastguard Worker *
14*6236dae4SAndroid Build Coastguard Worker * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15*6236dae4SAndroid Build Coastguard Worker * copies of the Software, and permit persons to whom the Software is
16*6236dae4SAndroid Build Coastguard Worker * furnished to do so, under the terms of the COPYING file.
17*6236dae4SAndroid Build Coastguard Worker *
18*6236dae4SAndroid Build Coastguard Worker * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19*6236dae4SAndroid Build Coastguard Worker * KIND, either express or implied.
20*6236dae4SAndroid Build Coastguard Worker *
21*6236dae4SAndroid Build Coastguard Worker * SPDX-License-Identifier: curl
22*6236dae4SAndroid Build Coastguard Worker *
23*6236dae4SAndroid Build Coastguard Worker ***************************************************************************/
24*6236dae4SAndroid Build Coastguard Worker
25*6236dae4SAndroid Build Coastguard Worker #include "curl_setup.h"
26*6236dae4SAndroid Build Coastguard Worker
27*6236dae4SAndroid Build Coastguard Worker #if defined(USE_HTTP3) && \
28*6236dae4SAndroid Build Coastguard Worker (defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_WOLFSSL))
29*6236dae4SAndroid Build Coastguard Worker
30*6236dae4SAndroid Build Coastguard Worker #ifdef USE_OPENSSL
31*6236dae4SAndroid Build Coastguard Worker #include <openssl/err.h>
32*6236dae4SAndroid Build Coastguard Worker #include "vtls/openssl.h"
33*6236dae4SAndroid Build Coastguard Worker #elif defined(USE_GNUTLS)
34*6236dae4SAndroid Build Coastguard Worker #include <gnutls/abstract.h>
35*6236dae4SAndroid Build Coastguard Worker #include <gnutls/gnutls.h>
36*6236dae4SAndroid Build Coastguard Worker #include <gnutls/x509.h>
37*6236dae4SAndroid Build Coastguard Worker #include <gnutls/crypto.h>
38*6236dae4SAndroid Build Coastguard Worker #include <nettle/sha2.h>
39*6236dae4SAndroid Build Coastguard Worker #include "vtls/gtls.h"
40*6236dae4SAndroid Build Coastguard Worker #elif defined(USE_WOLFSSL)
41*6236dae4SAndroid Build Coastguard Worker #include <wolfssl/options.h>
42*6236dae4SAndroid Build Coastguard Worker #include <wolfssl/ssl.h>
43*6236dae4SAndroid Build Coastguard Worker #include <wolfssl/quic.h>
44*6236dae4SAndroid Build Coastguard Worker #include "vtls/wolfssl.h"
45*6236dae4SAndroid Build Coastguard Worker #endif
46*6236dae4SAndroid Build Coastguard Worker
#include <limits.h>

#include "urldata.h"
#include "curl_trc.h"
#include "cfilters.h"
#include "multiif.h"
#include "vtls/keylog.h"
#include "vtls/vtls.h"
#include "vquic-tls.h"
54*6236dae4SAndroid Build Coastguard Worker
55*6236dae4SAndroid Build Coastguard Worker /* The last 3 #include files should be in this order */
56*6236dae4SAndroid Build Coastguard Worker #include "curl_printf.h"
57*6236dae4SAndroid Build Coastguard Worker #include "curl_memory.h"
58*6236dae4SAndroid Build Coastguard Worker #include "memdebug.h"
59*6236dae4SAndroid Build Coastguard Worker
60*6236dae4SAndroid Build Coastguard Worker #ifndef ARRAYSIZE
61*6236dae4SAndroid Build Coastguard Worker #define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0]))
62*6236dae4SAndroid Build Coastguard Worker #endif
63*6236dae4SAndroid Build Coastguard Worker
64*6236dae4SAndroid Build Coastguard Worker #if defined(USE_WOLFSSL)
65*6236dae4SAndroid Build Coastguard Worker
66*6236dae4SAndroid Build Coastguard Worker #define QUIC_CIPHERS \
67*6236dae4SAndroid Build Coastguard Worker "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_" \
68*6236dae4SAndroid Build Coastguard Worker "POLY1305_SHA256:TLS_AES_128_CCM_SHA256"
69*6236dae4SAndroid Build Coastguard Worker #define QUIC_GROUPS "P-256:P-384:P-521"
70*6236dae4SAndroid Build Coastguard Worker
71*6236dae4SAndroid Build Coastguard Worker #if defined(HAVE_SECRET_CALLBACK)
/* wolfSSL key-log hook. Forwards one key-log text line to curl's shared
 * key-log writer. It is only installed when key logging is enabled (see
 * wssl_init_ctx), since the lines it receives expose TLS session secrets.
 * The session handle is not needed; only the text line is passed on. */
static void keylog_callback(const WOLFSSL *ssl, const char *line)
{
  Curl_tls_keylog_write_line(line);
  (void)ssl;
}
77*6236dae4SAndroid Build Coastguard Worker #endif
78*6236dae4SAndroid Build Coastguard Worker
/* Create and configure the WOLFSSL_CTX for a QUIC connection.
 *
 * ctx          - curl TLS context; on success ctx->wssl.ctx is the new
 *                context, on failure it is left NULL
 * cf           - connection filter, used to find the primary SSL config
 * data         - the transfer, for logging and the SSL ctx callback
 * cb_setup     - optional QUIC-backend hook run right after the context is
 *                created, before any of the settings below are applied
 * cb_user_data - opaque argument handed to cb_setup
 *
 * Returns CURLE_OK or an error code. On error the context allocated here is
 * freed again, so the caller never sees a half-configured ctx->wssl.ctx.
 */
static CURLcode wssl_init_ctx(struct curl_tls_ctx *ctx,
                              struct Curl_cfilter *cf,
                              struct Curl_easy *data,
                              Curl_vquic_tls_ctx_setup *cb_setup,
                              void *cb_user_data)
{
  struct ssl_primary_config *conn_config;
  CURLcode result = CURLE_FAILED_INIT;

  conn_config = Curl_ssl_cf_get_primary_config(cf);
  if(!conn_config) {
    result = CURLE_FAILED_INIT;
    goto out;
  }

  /* QUIC mandates TLS 1.3; no older protocol version is offered */
  ctx->wssl.ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
  if(!ctx->wssl.ctx) {
    result = CURLE_OUT_OF_MEMORY;
    goto out;
  }

  /* let the QUIC backend attach its own state to the fresh context */
  if(cb_setup) {
    result = cb_setup(cf, data, cb_user_data);
    if(result)
      goto out;
  }

  /* NOTE(review): this loads wolfSSL's built-in default CA locations
     unconditionally - before, and apparently in addition to, any
     CAfile/CApath the user configured (handled further down) - and the
     return value is not checked. The CURL_CA_FALLBACK branch below only
     does this when no CA locations were given, which suggests a
     user-supplied CA bundle is meant to replace the default trust store,
     not extend it. Confirm this is intended before relying on
     CAfile/CApath to narrow trust on the HTTP/3 + wolfSSL path. */
  wolfSSL_CTX_set_default_verify_paths(ctx->wssl.ctx);

  /* TLS 1.3 cipher suites: the user's list if one was configured, else the
     fixed QUIC set. The error text comes from the OpenSSL-compat error
     queue. */
  if(wolfSSL_CTX_set_cipher_list(ctx->wssl.ctx, conn_config->cipher_list13 ?
                                 conn_config->cipher_list13 :
                                 QUIC_CIPHERS) != 1) {
    char error_buffer[256];
    ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer));
    failf(data, "wolfSSL failed to set ciphers: %s", error_buffer);
    result = CURLE_BAD_FUNCTION_ARGUMENT;
    goto out;
  }

  /* key-exchange groups: user-configured curves or the fixed NIST set */
  if(wolfSSL_CTX_set1_groups_list(ctx->wssl.ctx, conn_config->curves ?
                                  conn_config->curves :
                                  (char *)QUIC_GROUPS) != 1) {
    failf(data, "wolfSSL failed to set curves");
    result = CURLE_BAD_FUNCTION_ARGUMENT;
    goto out;
  }

  /* Open the file if a TLS or QUIC backend has not done this before. */
  Curl_tls_keylog_open();
  if(Curl_tls_keylog_enabled()) {
    /* Key logging hands the TLS session secrets to a log writer, which by
       design defeats the confidentiality of the connection, so it is only
       active when explicitly enabled. If wolfSSL lacks the callback we
       fail the setup rather than silently continue without logging, so an
       operator is never left believing secrets are being captured when
       they are not. */
#if defined(HAVE_SECRET_CALLBACK)
    wolfSSL_CTX_set_keylog_callback(ctx->wssl.ctx, keylog_callback);
#else
    failf(data, "wolfSSL was built without keylog callback");
    result = CURLE_NOT_BUILT_IN;
    goto out;
#endif
  }

  if(conn_config->verifypeer) {
    const char * const ssl_cafile = conn_config->CAfile;
    const char * const ssl_capath = conn_config->CApath;

    /* chain validation during the handshake, no custom verify callback.
       Hostname matching is not part of this; it is done afterwards in
       Curl_vquic_tls_verify_peer(). */
    wolfSSL_CTX_set_verify(ctx->wssl.ctx, SSL_VERIFY_PEER, NULL);
    if(ssl_cafile || ssl_capath) {
      /* tell wolfSSL where to find CA certificates that are used to verify
         the server's certificate. The IGNORE_ERR flag presumably tolerates
         individual unparsable entries in the bundle; the call still fails
         below when the locations are unusable. */
      int rc =
        wolfSSL_CTX_load_verify_locations_ex(ctx->wssl.ctx, ssl_cafile,
                                             ssl_capath,
                                             WOLFSSL_LOAD_FLAG_IGNORE_ERR);
      if(SSL_SUCCESS != rc) {
        /* Fail if we insist on successfully verifying the server. */
        failf(data, "error setting certificate verify locations:"
              " CAfile: %s CApath: %s",
              ssl_cafile ? ssl_cafile : "none",
              ssl_capath ? ssl_capath : "none");
        result = CURLE_SSL_CACERT_BADFILE;
        goto out;
      }
      infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
      infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
    }
#ifdef CURL_CA_FALLBACK
    else {
      /* verifying the peer without any CA certificates will not work so
         use wolfSSL's built-in default as fallback */
      wolfSSL_CTX_set_default_verify_paths(ctx->wssl.ctx);
    }
#endif
  }
  else {
    /* peer verification disabled by configuration: the handshake accepts
       any certificate. Only correct when the user explicitly asked for it. */
    wolfSSL_CTX_set_verify(ctx->wssl.ctx, SSL_VERIFY_NONE, NULL);
  }

  /* give application a chance to interfere with SSL set up. This runs last,
     so the callback can override anything configured above, including the
     verification settings. */
  if(data->set.ssl.fsslctx) {
    Curl_set_in_callback(data, TRUE);
    result = (*data->set.ssl.fsslctx)(data, ctx->wssl.ctx,
                                      data->set.ssl.fsslctxp);
    Curl_set_in_callback(data, FALSE);
    if(result) {
      failf(data, "error signaled by ssl ctx callback");
      goto out;
    }
  }
  result = CURLE_OK;

out:
  /* undo the allocation on every failure path */
  if(result && ctx->wssl.ctx) {
    SSL_CTX_free(ctx->wssl.ctx);
    ctx->wssl.ctx = NULL;
  }
  return result;
}
194*6236dae4SAndroid Build Coastguard Worker
195*6236dae4SAndroid Build Coastguard Worker /** SSL callbacks ***/
196*6236dae4SAndroid Build Coastguard Worker
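/* Create the per-connection WOLFSSL session on top of the context built by
 * wssl_init_ctx() and apply the client-side settings.
 *
 * ctx       - curl TLS context; ctx->wssl.ctx must be set and
 *             ctx->wssl.handle must still be NULL
 * cf, data  - connection filter and transfer (config lookup, logging)
 * peer      - peer description; peer->sni, when set, is sent as SNI
 * alpn      - ALPN protocol list as wolfSSL expects it, or NULL
 * alpn_len  - byte length of alpn
 * user_data - stored as the session's application data
 *
 * Returns CURLE_OK, CURLE_OUT_OF_MEMORY when the session object cannot be
 * created, or CURLE_SSL_CONNECT_ERROR when SNI cannot be installed. On
 * error the session is freed again and ctx->wssl.handle is reset to NULL.
 */
static CURLcode wssl_init_ssl(struct curl_tls_ctx *ctx,
                              struct Curl_cfilter *cf,
                              struct Curl_easy *data,
                              struct ssl_peer *peer,
                              const char *alpn, size_t alpn_len,
                              void *user_data)
{
  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  CURLcode result = CURLE_OK;

  DEBUGASSERT(!ctx->wssl.handle);
  DEBUGASSERT(ctx->wssl.ctx);
  ctx->wssl.handle = wolfSSL_new(ctx->wssl.ctx);
  /* wolfSSL_new() returns NULL on allocation failure; previously the result
     was dereferenced unchecked by the calls below */
  if(!ctx->wssl.handle) {
    failf(data, "wolfSSL_new failed to create a session");
    return CURLE_OUT_OF_MEMORY;
  }

  wolfSSL_set_app_data(ctx->wssl.handle, user_data);
  wolfSSL_set_connect_state(ctx->wssl.handle);
  /* use the final QUIC transport-parameter codepoint, not the draft one */
  wolfSSL_set_quic_use_legacy_codepoint(ctx->wssl.handle, 0);

  /* NOTE(review): the return value is not checked here. wolfSSL's
     OpenSSL-compat ALPN setter has not used one consistent success value
     across versions, so a check is deliberately not added without
     confirming the convention of the linked wolfSSL. */
  if(alpn)
    wolfSSL_set_alpn_protos(ctx->wssl.handle, (const unsigned char *)alpn,
                            (unsigned int)alpn_len);

  if(peer->sni) {
    size_t sni_len = strlen(peer->sni);
    /* wolfSSL takes the SNI length as unsigned short; refuse instead of
       silently truncating a name that does not fit (fail closed) */
    if(sni_len >= USHRT_MAX) {
      failf(data, "SNI hostname too long");
      result = CURLE_SSL_CONNECT_ERROR;
      goto out;
    }
    /* a failed SNI install used to be ignored; treat it as a connect error
       so the peer is never contacted without the name we meant to send */
    if(wolfSSL_UseSNI(ctx->wssl.handle, WOLFSSL_SNI_HOST_NAME,
                      peer->sni, (unsigned short)sni_len) != SSL_SUCCESS) {
      failf(data, "Failed to set SNI");
      result = CURLE_SSL_CONNECT_ERROR;
      goto out;
    }
  }

  if(ssl_config->primary.cache_session) {
    /* best effort: if no session can be resumed, a full handshake is done */
    (void)wssl_setup_session(cf, data, &ctx->wssl, peer);
  }

out:
  if(result) {
    /* mirror wssl_init_ctx(): never leave a half-configured session behind */
    wolfSSL_free(ctx->wssl.handle);
    ctx->wssl.handle = NULL;
  }
  return result;
}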
229*6236dae4SAndroid Build Coastguard Worker #endif /* defined(USE_WOLFSSL) */
230*6236dae4SAndroid Build Coastguard Worker
/* Set up the TLS state for a QUIC connection with the configured backend.
 *
 * ctx           - curl TLS context to fill (backend-specific member)
 * cf, data      - connection filter and transfer
 * peer          - peer description handed to the backend
 * alpn/alpn_len - ALPN protocol list and its byte length
 * cb_setup      - backend hook run while the context is being created
 * cb_user_data  - argument for cb_setup
 * ssl_user_data - stored as the TLS session's application data
 *
 * Returns the backend's CURLcode. OpenSSL and GnuTLS build context and
 * session in one call; wolfSSL does it in two steps here and stops at the
 * first failure.
 */
CURLcode Curl_vquic_tls_init(struct curl_tls_ctx *ctx,
                             struct Curl_cfilter *cf,
                             struct Curl_easy *data,
                             struct ssl_peer *peer,
                             const char *alpn, size_t alpn_len,
                             Curl_vquic_tls_ctx_setup *cb_setup,
                             void *cb_user_data, void *ssl_user_data)
{
#ifdef USE_OPENSSL
  return Curl_ossl_ctx_init(&ctx->ossl, cf, data, peer, TRNSPRT_QUIC,
                            (const unsigned char *)alpn, alpn_len,
                            cb_setup, cb_user_data, NULL, ssl_user_data);
#elif defined(USE_GNUTLS)
  return Curl_gtls_ctx_init(&ctx->gtls, cf, data, peer,
                            (const unsigned char *)alpn, alpn_len, NULL,
                            cb_setup, cb_user_data, ssl_user_data);
#elif defined(USE_WOLFSSL)
  {
    /* context first, then the session on top of it */
    CURLcode result = wssl_init_ctx(ctx, cf, data, cb_setup, cb_user_data);
    if(!result)
      result = wssl_init_ssl(ctx, cf, data, peer, alpn, alpn_len,
                             ssl_user_data);
    return result;
  }
#else
#error "no TLS lib in used, should not happen"
  return CURLE_FAILED_INIT;
#endif
}
262*6236dae4SAndroid Build Coastguard Worker
/* Release every backend object referenced by ctx and zero the struct.
 *
 * Safe to call after a partially failed Curl_vquic_tls_init(): each pointer
 * is checked before it is released. The session object is always freed
 * before the context it was created from. Afterwards ctx is all-zero and
 * may be initialized again.
 */
void Curl_vquic_tls_cleanup(struct curl_tls_ctx *ctx)
{
#ifdef USE_OPENSSL
  if(ctx->ossl.ssl)
    SSL_free(ctx->ossl.ssl);
  if(ctx->ossl.ssl_ctx)
    SSL_CTX_free(ctx->ossl.ssl_ctx);
#elif defined(USE_GNUTLS)
  if(ctx->gtls.session)
    gnutls_deinit(ctx->gtls.session);
  /* NOTE(review): the name suggests these credentials are shared between
     connections; whether this call frees or merely drops a reference is
     decided by the helper - confirm before relying on it for cleanup. */
  Curl_gtls_shared_creds_free(&ctx->gtls.shared_creds);
#elif defined(USE_WOLFSSL)
  if(ctx->wssl.handle)
    wolfSSL_free(ctx->wssl.handle);
  if(ctx->wssl.ctx)
    wolfSSL_CTX_free(ctx->wssl.ctx);
#endif
  /* clear the stale pointers so a repeated cleanup cannot double free */
  memset(ctx, 0, sizeof(*ctx));
}
282*6236dae4SAndroid Build Coastguard Worker
/* Finish the lazy part of the TLS setup right before the first receive:
 * the trust store (CA certificates) is populated on first use rather than
 * at init time.
 *
 * ctx      - curl TLS context of the connection
 * cf, data - connection filter and transfer, passed to the backend helper
 *
 * Returns CURLE_OK when the store is ready or nothing had to be done, else
 * the backend helper's error code.
 */
CURLcode Curl_vquic_tls_before_recv(struct curl_tls_ctx *ctx,
                                    struct Curl_cfilter *cf,
                                    struct Curl_easy *data)
{
  CURLcode result = CURLE_OK;

#ifdef USE_OPENSSL
  if(!ctx->ossl.x509_store_setup) {
    result = Curl_ssl_setup_x509_store(cf, data, ctx->ossl.ssl_ctx);
    if(!result)
      ctx->ossl.x509_store_setup = TRUE;
  }
#elif defined(USE_WOLFSSL)
  /* NOTE(review): unlike the OpenSSL branch, x509_store_setup is not set
     here after success; presumably Curl_wssl_setup_x509_store() records it
     itself - confirm, otherwise the store is rebuilt on every call. */
  if(!ctx->wssl.x509_store_setup)
    result = Curl_wssl_setup_x509_store(cf, data, &ctx->wssl);
#elif defined(USE_GNUTLS)
  if(!ctx->gtls.shared_creds->trust_setup)
    result = Curl_gtls_client_trust_setup(cf, data, &ctx->gtls);
#else
  (void)ctx; (void)cf; (void)data;
#endif
  return result;
}
311*6236dae4SAndroid Build Coastguard Worker
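/* Verify the peer's certificate once the QUIC handshake has completed.
 *
 * ctx  - curl TLS context holding the backend session
 * cf   - connection filter, used to find the primary SSL config
 * data - the transfer, for logging and (GnuTLS) the pinned-key option
 * peer - peer description; peer->sni is the name matched against the
 *        certificate on the wolfSSL path
 *
 * Returns CURLE_OK when verification passed or is disabled by
 * configuration, CURLE_FAILED_INIT without an SSL config, or
 * CURLE_PEER_FAILED_VERIFICATION (or the backend's code) on failure.
 */
CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx,
                                    struct Curl_cfilter *cf,
                                    struct Curl_easy *data,
                                    struct ssl_peer *peer)
{
  struct ssl_primary_config *conn_config;
  CURLcode result = CURLE_OK;

  conn_config = Curl_ssl_cf_get_primary_config(cf);
  if(!conn_config)
    return CURLE_FAILED_INIT;

#ifdef USE_OPENSSL
  (void)conn_config;
  /* the OpenSSL backend does all of its checks in this one helper */
  result = Curl_oss_check_peer_cert(cf, data, &ctx->ossl, peer);
#elif defined(USE_GNUTLS)
  if(conn_config->verifyhost) {
    result = Curl_gtls_verifyserver(data, ctx->gtls.session,
                                    conn_config, &data->set.ssl, peer,
                                    data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
    if(result)
      return result;
  }
#elif defined(USE_WOLFSSL)
  /* Chain validation happened during the handshake (SSL_VERIFY_PEER set in
     wssl_init_ctx); only the name match is done here.
     NOTE(review): the match only runs when peer->sni is set. If a peer is
     given in a form that carries no SNI (an IP literal, for instance), no
     hostname check happens on this path even with verifyhost enabled -
     confirm that a caller covers that case. Also, unlike the GnuTLS branch
     above, no pinned-public-key check is performed for wolfSSL here. */
  if(conn_config->verifyhost && peer->sni) {
    WOLFSSL_X509 *cert = wolfSSL_get_peer_certificate(ctx->wssl.handle);
    if(!cert) {
      /* no certificate to match against is a verification failure, not a
         pass; previously the NULL was handed straight to the check */
      failf(data, "SSL: no peer certificate to verify hostname '%s'",
            peer->sni);
      return CURLE_PEER_FAILED_VERIFICATION;
    }
    /* anything but an explicit success is treated as a mismatch */
    if(wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL)
       != SSL_SUCCESS) {
      failf(data, "SSL: certificate subject name does not match "
            "target hostname '%s'", peer->sni);
      result = CURLE_PEER_FAILED_VERIFICATION;
    }
    wolfSSL_X509_free(cert);
  }
#endif
  return result;
}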
351*6236dae4SAndroid Build Coastguard Worker
352*6236dae4SAndroid Build Coastguard Worker
#endif /* USE_HTTP3 && (USE_OPENSSL || USE_GNUTLS || USE_WOLFSSL) */